phantom/etc-configs
1
0
Fork 0
forked from Fijxu/etc-configs
Code Pull requests Activity

Compare commits

merge into: phantom:main
Branches Tags
phantom:main
phantom:selfhost
phantom:oracle
phantom:vpsus
phantom:veil
phantom:vpscl
phantom:selfhost-old
Fijxu:selfhost
Fijxu:vpsus
Fijxu:main
Fijxu:veil-old
Fijxu:oracle-old
Fijxu:vpscl-old
Fijxu:selfhost-old
...
pull from: phantom:vpscl
Branches Tags
phantom:selfhost
phantom:main
phantom:oracle
phantom:vpsus
phantom:veil
phantom:vpscl
phantom:selfhost-old
Fijxu:selfhost
Fijxu:vpsus
Fijxu:main
Fijxu:veil-old
Fijxu:oracle-old
Fijxu:vpscl-old
Fijxu:selfhost-old

No commits in common. "main" and "vpscl" have entirely different histories.
main ... vpscl

17 changed files with 498 additions and 16 deletions
Show stats Expand all files Collapse all files

16
README.md
View file

@ -1,16 +0,0 @@
You can find my server configs in this repo, they are split in different branches.
- [🌑 Selfhost Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/selfhost)
- [🇺🇸 VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/vpsus)
- [🌌 Veil Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/veil) (**New**)
- [🇨🇱 Oracle VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/oracle)
#### Suggestions or Issues?
If you got any suggestions to the nginx configs or something that is not to your liking within the privacy-focused services I provide; Open an issue or a pull request in any config. You can either create an account with your real E-mail or with a throw away one (But probably you will be considered as a bad actor for me if you don't provide any real identity like GitHub, GitLab, Codeberg or anything like that, so make sure to link any of those).
*Contact*: [https://nadeko.net/contact](https://nadeko.net/contact)

11
nginx/configs/general.conf Normal file
View file

@ -0,0 +1,11 @@
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# brotli
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

20
nginx/configs/proxyheaders.conf Normal file
View file

@ -0,0 +1,20 @@
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

12
nginx/configs/securityheaders.conf Normal file
View file

@ -0,0 +1,12 @@
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}

102
nginx/nginx.conf Executable file
View file

@ -0,0 +1,102 @@
worker_processes auto;
worker_rlimit_nofile 65535;
# Include Modules
include /etc/nginx/modules-enabled/*.conf;
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
#load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
# Include external config
include /etc/nginx/conf.d/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
stream {
include /etc/nginx/streams/*.conf;
}
http {
# Basic Settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
# Virtual Host Configs
include /etc/nginx/sites-enabled/*.conf;
# MIME
include mime.types;
default_type application/octet-stream;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# HTTP2 Settings
http2_max_field_size 64k;
http2_max_header_size 512k;
# DDOS Protection
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn perip 100;
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 65s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
}

33
nginx/sites-available/ayayabeauty.conf Executable file
View file

@ -0,0 +1,33 @@
server {
server_name ayaya.beauty;
location /.well-known/matrix/server {
return 200 '{ "m.server": "matrix.ayaya.beauty:443" }';
}
location /.well-known/matrix/client {
# If your sever_name here doesn't match your matrix homeserver URL
# (e.g. hostname.com as server_name and matrix.hostname.com as homeserver URL)
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.ayaya.beauty" } }';
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ayaya.beauty;
return 404; # managed by Certbot
}

33
nginx/sites-available/count.ayaya.beauty.conf Executable file
View file

@ -0,0 +1,33 @@
server {
access_log /var/log/nginx/count.ayaya.beauty.log combined;
server_name count.ayaya.beauty;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_pass http://127.0.0.1:41000/;
include configs/proxyheaders.conf;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/count.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = count.ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name count.ayaya.beauty;
listen 80;
return 404; # managed by Certbot
}

56
nginx/sites-available/matrix.conf Executable file
View file

@ -0,0 +1,56 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name matrix.zzls.xyz;
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "sameorigin";
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.zzls.xyz"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
ssl_certificate /etc/letsencrypt/live/matrix.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/matrix.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = matrix.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name matrix.zzls.xyz;
return 404; # managed by Certbot
}

38
nginx/sites-available/matrix2.conf Executable file
View file

@ -0,0 +1,38 @@
server {
server_name matrix.ayaya.beauty; # EDIT THIS
access_log /var/log/nginx/matrix.log;
#merge_slashes off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 600;
location /_matrix/ {
proxy_pass http://127.0.0.1:8008;
# proxy_set_header Host $http_host;
# proxy_buffering off;
}
client_max_body_size 20M;
listen 443 ssl http2; # managed by Certbot
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
ssl_certificate /etc/letsencrypt/live/matrix.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/matrix.ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = matrix.ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name matrix.ayaya.beauty;
return 404; # managed by Certbot
}

42
nginx/sites-available/nimuvt.multex.software.conf Executable file
View file

@ -0,0 +1,42 @@
error_log /var/log/nginx/nimuerr.log;
access_log /var/log/nginx/nimu.log;
upstream nimuvt-botsite {
server unix:///tmp/remote_socket;
}
upstream nimuvt-websocket {
server unix:///var/run/pajbot/nimuvt/websocket.sock;
}
server {
#listen 443 ssl http2;
#listen [::]:443 ssl http2;
#ssl_certificate /etc/letsencrypt/live/multex.software/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/multex.software/privkey.pem;
listen 80;
server_name nimuvt.multex.software;
charset utf-8;
location /api/ {
uwsgi_pass nimuvt-botsite;
include uwsgi_params;
expires epoch;
}
location / {
uwsgi_pass nimuvt-botsite;
include uwsgi_params;
expires epoch;
add_header Cache-Control "public";
}
location /clrsocket {
proxy_pass http://nimuvt-websocket/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

71
nginx/sites-available/search.zzls.xyz.conf Executable file
View file

@ -0,0 +1,71 @@
server {
access_log /var/log/nginx/search.access.log;
error_log /var/log/nginx/search.error.log;
server_name search.zzls.xyz;
include configs/general.conf;
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* (python) ) {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8888/;
#
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers for the Limiter
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
}
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/static/;
}
# Onion Service Header
add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# CSP + Security Headers
# include configs/securityheaders.conf;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
quic_retry on;
quic_gso on;
ssl_early_data on;
ssl_session_ticket_key /etc/nginx/http3key.key;
listen 443 http3;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = search.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name search.zzls.xyz;
return 404; # managed by Certbot
}

35
nginx/sites-available/status.zzls.xyz.conf Normal file
View file

@ -0,0 +1,35 @@
server {
access_log /var/log/nginx/status.zzls.xyz.log combined;
server_name status.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_pass http://127.0.0.1:41030/;
include configs/proxyheaders.conf;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/status.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/status.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = status.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name status.zzls.xyz;
listen 80;
return 404; # managed by Certbot
}

1
nginx/sites-enabled/count.ayaya.beauty.conf Symbolic link
View file

@ -0,0 +1 @@
../sites-available/count.ayaya.beauty.conf

1
nginx/sites-enabled/search.zzls.xyz.conf Symbolic link
View file

@ -0,0 +1 @@
../sites-available/search.zzls.xyz.conf

1
nginx/sites-enabled/status.zzls.xyz.conf Symbolic link
View file

@ -0,0 +1 @@
../sites-available/status.zzls.xyz.conf

1
sysctl.d/99-swappiness.conf Normal file
View file

@ -0,0 +1 @@
vm.swappiness=10

41
sysctl.d/internettweaks.conf Normal file
View file

@ -0,0 +1,41 @@
#TCP Tweaks
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fastopn = 3
net.ipv4.tcp_fin_timeout = 10
# disable tcp timestamps to avoid leaking some system information
# https://www.whonix.org/wiki/Disable_TCP_and_ICMP_Timestamps
net.ipv4.tcp_timestamps=0
#TCP BBR Congestion Control Algoritm
net.core.default_qdisc = cake
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
#Ignore ICMP Ping requests
#net.ipv4.icmp_echo_ignore_all = 1
#net.ipv6.icmp.echo_ignore_all = 1
#Increase the memory dedicated to the network interfaces
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
# increase aslr effectiveness for mmap
# https://lwn.net/Articles/667790
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
#SYN Flood Protection
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1